Q&A on Encryption with Aamir Lakhani
Encryption remains a hotly debated topic of discussion in cybersecurity. Fortinet’s Aamir Lakhani offers some perspective on what customers think about encryption today and going forward.
Why is encryption currently such a hot topic?
Privacy is a major concern right now. The Edward Snowden leaks in 2013 made people more aware than ever about their lack of privacy. They have also raised such questions as: Do we have a fundamental right to privacy? How far do we protect privacy? In the past, with the proper court orders and legal documentation, law enforcement has always been able to access information, from bank accounts to credit card information to communications. Now, some people believe that their phone, email, and other electronic “conversations” should not be subject to the same sort of legal search. Should we allow companies to build impenetrable privacy technology? If we do, are we giving up the ability to investigate and possibly prevent criminal activities, or even terrorist activities? The recent Apple vs FBI dispute over encryption of the iPhone brought that question to the forefront.
So encryption is a buzzword right now because people are concerned about their privacy, and they don’t want people to spy on their conversations. On the other hand, we’ve seen terrorists use encryption to hide their conversations, and we’ve seen our law enforcement agencies have a difficult time dealing with that, and that worries people. So we’ve got these two competing interests that are making encryption such a hot topic.
What is the best practices thinking on encryption?
We’ve always preached encryption on the commercial/enterprise side of things, but the ironic thing is that right now we’ve got more security on the consumer side. Applications like Apple iMessage, WhatsApp Messenger, and Telegram have made it easy to encrypt communications end to end, while in the enterprise it’s still very difficult. The lesson here is that on the enterprise side we need to make it as seamless as WhatsApp has made it for individual users.
The challenge is that we tend to look for easy solutions to problems, which often means buying a box and sticking it on the network, which ironically often simply makes things more complicated. It can be hard, even for a professional, to take a step back and look at a problem from end to end. And unfortunately, in most organizations the few people in a position to do that tend to be so high level and so detached from everyday operations that they don’t understand what it takes to look at security holistically, as an ecosystem, while the people who do have the necessary technical security skills tend to hyperfocus on a single point product or solution. We need the best of both worlds. We need to be able to take a step back, but also to be able to build security in an ecosystem and understand how it works, not only with regards to encryption, but with all the other aspects of security, including authentication, authorization, and segmentation.
What is happening globally with regards to encryption?
Encryption has traditionally been expensive, but globally there has been a movement to make some kind of encryption and protection available everywhere, and to make it easier and cheaper to access. The “Let’s Encrypt” project (www.letsencrypt.org) is a very popular project that is providing websites everywhere with the ability to have encryption. It takes the cost and complexity out of implementing technology like TLS and SSL. Globally, people are now seeing the benefits of encryption, like protecting your privacy in countries where you have censorship issues. In countries with less freedom than ours, encryption gives you the freedom to go where you want to go without ramifications.
Let’s Encrypt, while not necessarily an easy solution, is not any harder to implement than anything else that’s out there, and it’s a free, open source solution, so I think we’ll see it gain in popularity.
With these types of projects, it’s easy to imagine that in a few years all sites will be HTTPS. Why have we not seen that yet?
Once you have HTTPS, you lose some visibility into data, traffic, and usage, and that information is extremely valuable to ISPs and website owners. These people mine that data and sell intelligence gleaned from it to advertisers, agencies, and research firms. Because of that, perhaps there’s not enough motivation, even among people who understand how easy it is to implement encryption, to insist on it. And it’s not just service providers. Even website owners, if they implement pure encryption, could lose a lot of the insight they’re getting on traffic statistics and who their users are.
The other thing holding back the use of HTTPS is a lack of understanding of what it takes to actually implement these solutions. Too many people believe that it’s a lot more complicated to implement encryption than it actually is.
What’s the future for encryption?
We’re witnessing an evolution in both encryption standards and encryption technology. Encryption has traditionally been very expensive from a processor and performance standpoint. But given recent developments, a lot of those expense concerns are going away. Soon, they won’t be valid arguments anymore.
We’re also seeing more elliptic curve cryptography, where the encryption is not enhanced linearly but logarithmically. Encryption is becoming more complex, providing better protection, to the point where it is becoming very difficult for attackers, or even legitimate companies, to break encryption or even analyze traffic within an encrypted tunnel. People are looking to implement these new elliptic curve-type encryption algorithms, but there are a lot of issues with patents and trademarks slowing it down right now. The industry is new and people are trying to figure out what the next generation of encryption will be.
A lot of the encryption we’ve seen historically has been breakable, but it’s been breakable due to the implementation of the encryption, and not necessarily because of the math behind it. Software, human error, and incorrect configuration can all introduce bugs that cause encryption to fail. I think some kind of automation is going to solve that. Given all the recent advances in Artificial Intelligence, perhaps some kind of AI machine language will be able to test encryption faster and solve or even avoid current issues.
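The point above, that encryption usually fails through implementation and configuration rather than through the mathematics, and that automated checks can catch such mistakes, can be illustrated with a small configuration lint. The following is an added example and is not code from the interview or from Fortinet; it assumes an nginx-style `ssl_protocols` / `ssl_ciphers` directive syntax, and both sample configurations are constructed for the demonstration. It flags protocol versions and cipher-suite names that are known to be broken or deprecated, showing a weak configuration beside a hardened one.

```python
"""Lint TLS server settings for well-known configuration mistakes.

Added illustration, not Fortinet's or the interviewee's code. Assumes an
nginx-style directive syntax; the sample configs below are constructed.
"""
import re

# Protocol versions that should no longer be offered: SSLv2/SSLv3 are broken,
# TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Tokens in OpenSSL cipher-suite names that indicate weak or broken algorithms:
# RC4 (prohibited by RFC 7465), DES/3DES (Sweet32), export grade, NULL
# encryption, anonymous key exchange, and MD5-based MACs.
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "EXP", "EXPORT", "NULL",
                      "aNULL", "ADH", "AECDH", "MD5"}

# Constructed sample: a configuration that still offers old protocols and ciphers.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4-SHA:DES-CBC3-SHA:AES128-SHA:HIGH;
    ssl_prefer_server_ciphers on;
}
"""

# Constructed sample: the corrected configuration.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
}
"""


def directive(config, name):
    """Return the value of the first 'name value;' directive, or None."""
    match = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), config, re.MULTILINE)
    return match.group(1).strip() if match else None


def lint_tls_config(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []

    protocols = directive(config, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set: server falls back to the build default")
    else:
        for proto in protocols.split():
            if proto in DEPRECATED_PROTOCOLS:
                findings.append("deprecated protocol offered: %s" % proto)

    ciphers = directive(config, "ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers not set: server falls back to the build default")
    else:
        for suite in ciphers.split(":"):
            if suite.startswith(("!", "-")):
                continue  # exclusion entries remove suites; they do not add them
            tokens = set(suite.split("-"))
            if tokens & WEAK_CIPHER_TOKENS:
                findings.append("weak cipher suite listed: %s" % suite)

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s config: %d finding(s)" % (label, len(lint_tls_config(cfg))))
        for finding in lint_tls_config(cfg):
            print("  -", finding)
```

Running it reports five findings for the weak configuration (three deprecated protocols plus the RC4 and 3DES suites) and none for the hardened one. Note the limitation of inspecting strings: an alias such as `HIGH` is expanded by the TLS library at runtime, so what a server actually negotiates should also be verified against the live endpoint, not only against its configuration file.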
Let me finish by saying, however, that encryption is not the answer to everything. For example, poor security means that an encrypted tunnel can be used as a secure delivery mechanism for malware. Encryption is a critical tool in a holistic security strategy that covers the entire distributed network.